Evaluating the Authenticity of Smartphone Evidence

  • Heloise Pieterse
  • Martin Olivier
  • Renier van Heerden
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 511)


The widespread use and rich functionality of smartphones have made them valuable sources of digital evidence. Malicious individuals are becoming aware of the importance of digital evidence found on smartphones and may be interested in deploying anti-forensic techniques to alter evidence and thwart investigations. It is, therefore, important to establish the authenticity of smartphone evidence.

This chapter focuses on digital evidence found on smartphones that has been created by smartphone applications and the techniques that can be used to establish the authenticity of the evidence. In order to establish the authenticity of the evidence, a better understanding of the normal or expected behavior of smartphone applications is required. This chapter introduces a new reference architecture for smartphone applications that models the components and the expected behavior of applications. Seven theories of normality are derived from the reference architecture that enable digital forensic professionals to evaluate the authenticity of smartphone evidence. An experiment conducted to examine the validity of the theories of normality indicates that the theories can assist forensic professionals in identifying authentic smartphone evidence.


Keywords: Smartphone forensics, Evidence, Authenticity, Reference architecture





Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  • Heloise Pieterse (1)
  • Martin Olivier (1)
  • Renier van Heerden (1)
  1. University of Pretoria, Pretoria, South Africa
